1 Introduction

Most of the research on protocol security in the past two decades has been conducted assuming a free message algebra. However, operators such as Exclusive-OR (XOR) possess algebraic properties. There were instances when a protocol was secure in the free algebra, but insecure in the presence of equational theories induced by such operators [10]. Hence, it is important to conduct protocol analysis with careful consideration of equational theories.

Unification is an important part of symbolic protocol analysis that is affected by equational theories. If we can disable them, i.e., if we can construct protocol messages such that unification in the presence of equational theories implies the same unification in their absence, then it is a good step in simplifying protocol analysis in the presence of theories.

This is the point we consider in this paper. We formulate a new tagging scheme for protocol messages that essentially disables disjoint equational theories¹. As a consequence of this result, we could recently achieve the following, immensely useful result for protocols involving the XOR operator that possesses the ACUN theory:

    Under a certain tagging scheme, if a protocol is secure under a free algebra, then it is secure in the presence of the ACUN theory.



We provide a full formal proof of this result in [9]. This result essentially disables the ACUN theory from having any effect on protocol security. Further, it allows us to lift many existing results obtained under a free algebra. For instance, the classical "small-system" decidability result by Lowe in his pioneering work [?] states,

"If there is no attack on a small system of a protocol (with exactly one agent playing each 
role of the protocol), leading to a breach of secrecy, then there is no attack on any larger 
system leading to a breach of secrecy." 

Although Lowe achieved this result in a free term algebra, we can tag protocols in our scheme, and use our main result of [9] to conclude that the small-system result is valid even under the ACUN theory, since no new attacks are enabled. We can similarly recover many existing results achieved under a free algebra, such as simplifying transformations for protocols [?], and preventing type-flaw and multi-protocol attacks [?].



¹ Disjoint theories are those where the equations in the theories do not share operators.

Disabling equational theories in unification



A similar result is possible under other theories such as ACU ∪ Inverse and ACU ∪ Idempotence as well. However, while a crucial component of [9] is disabling equational unification (which is the only point of this paper), the protocol analysis framework used there is from [?], which is tailored only to the ACUN theory. To achieve a similar result under other theories, we would have to use the result of the current paper in suitable protocol models such as [4]. This is a topic of current research.

It is very important to note that our result does not consider equations of the form $[a, b] \oplus [c, d] = [a \oplus c, b \oplus d]$, which would hold when the operator $\oplus$ is homomorphic. The reason is that we use the algorithm by Baader & Schulz for combined theory unification [2] to achieve our result. The algorithm cannot handle such equations that use operators in disjoint theories (the above equation uses pairing, which is a free operator, and the XOR operator). However, some implementations could lead to such equations, and we consider it an important direction of future research to include them.

2 Term Algebra 

We will assume the existence of basic, indivisible sets of terms called variables and constants, denoted $\mathit{Vars}$ and $\mathit{Constants}$ respectively. We define a set of operators, $\mathit{Ops} = \mathit{StdOps} \cup \{\mathit{eqop}\}$, where $\mathit{StdOps} = \{\mathit{sequence}, \mathit{penc}, \mathit{senc}, \mathit{pk}, \mathit{sh}\}$. We use some syntactic sugar for some of these operators: $\mathit{sequence}(t_1, \ldots, t_n) = [t_1, \ldots, t_n]$, $\mathit{penc}(t, k) = [t]^{\rightarrow}_{k}$, $\mathit{senc}(t, k) = [t]^{\leftrightarrow}_{k}$, $\mathit{eqop}(t_1, \ldots, t_n) = t_1 \oplus \cdots \oplus t_n$.

Note that, although we use the symbol $\oplus$ for $\mathit{eqop}$, which is conventionally used for XOR, here we treat it as a general operator that has some equational theory.

The term algebra is the infinite set $\mathit{Terms}$, where $\mathit{Vars} \cup \mathit{Constants} \subseteq \mathit{Terms}$ and $(\forall t_1, \ldots, t_n \in \mathit{Terms};\ f \in \mathit{Ops})\,(f(t_1, \ldots, t_n) \in \mathit{Terms})$. We define two relations on terms, subterm and interm, denoted $\sqsubseteq$ and $\lhd$ respectively, such that:

• $t \sqsubseteq t'$ iff $t = t'$ or $t' = f(t_1, \ldots, t_n)$ where $f \in \mathit{Ops}$ and $t \sqsubseteq t''$ for some $t'' \in \{t_1, \ldots, t_n\}$.

• $t \lhd t'$ iff $(\exists t_1, \ldots, t_m;\ i \in \{1, \ldots, m\})\,((t_1 \oplus \cdots \oplus t_m = t') \land (t_i = t))$.

• $\mathit{SubTerms}(T) = \{t \mid (\exists t' \in T)(t \sqsubseteq t')\}$.

Interms are also subterms, but subterms are not necessarily interms. For instance, $[1, a]$ is both an interm and a subterm of $[1, a] \oplus [2, b] \oplus [3, N_B]$, but $N_B$ is only a subterm of it, not an interm.

Definition 1. [Equation and Theory] An equation is a tuple $(\mathit{term}, \mathit{term})$. We write $t_1 =_e t_2$ if $e = (t_1, t_2)$ is an equation. A theory is a set of equations. If $Th$ is a theory, we write $t =_{Th} t'$ if there exists a finite sequence of equations $e_1, \ldots, e_n \in Th$ such that $t =_{e_1} t_1$, $t_1 =_{e_2} t_2$, $\ldots$, $t_{n-1} =_{e_n} t'$.

The theory STD for $\mathit{StdOps}$ is a set of equations between syntactically equal terms:

$\{([t_1, \ldots, t_n], [t_1, \ldots, t_n]),\ ([t]^{\rightarrow}_{k}, [t]^{\rightarrow}_{k}),\ ([t]^{\leftrightarrow}_{k}, [t]^{\leftrightarrow}_{k}),\ (\mathit{pk}(t), \mathit{pk}(t)),\ (\mathit{sh}(t_1, t_2), \mathit{sh}(t_1, t_2))\}$.

The theory EQTH has equations solely with the $\mathit{eqop}$ ($\oplus$) operator. For our main result, we will consider the ACUN theory as EQTH, but in principle this can be any set of equations where $\mathit{StdOps}$ are not used. There can also be multiple operators in EQTH:

$\{(t_1 \oplus (t_2 \oplus t_3),\ (t_1 \oplus t_2) \oplus t_3),\ (t_1 \oplus t_2,\ t_2 \oplus t_1),\ (t \oplus 0,\ t),\ (t \oplus t,\ 0)\}$.

We also define FEQOP, which is a theory in which the $\oplus$ operator is free:

$\mathit{FEQOP} = \{(t_1 \oplus \cdots \oplus t_n,\ t_1 \oplus \cdots \oplus t_n)\}$.

Definition 2. [Operators]

Let $\mathit{Operators}(Th)$ denote all the operators used to form the equations in the theory $Th$²:

$\mathit{Operators}(Th) = \{\, op \mid (\exists e \in Th;\ t_1, t_2, t \in \mathit{Terms})\,(((t \sqsubseteq t_1) \lor (t \sqsubseteq t_2)) \land (e = (t_1, t_2)) \land (t = op(\_, \ldots, \_)))\,\}$.

² We use an underscore (_) in a formula when the value in it does not affect the truth of the formula.

Theories $Th_1$ and $Th_2$ are disjoint if $\mathit{Operators}(Th_1) \cap \mathit{Operators}(Th_2) = \{\}$.

We will say that a term $t$ is pure wrt the theory $Th$ if all of its subterms are made only from $\mathit{Operators}(Th)$: $\mathit{pure}(t, Th) \Leftrightarrow (\forall op(\_, \ldots, \_) \sqsubseteq t)\,(op \in \mathit{Operators}(Th))$.

We will now consider equational unification. We will abbreviate "Unification Algorithm" to UA and 
"Unification Problem" to UP: 

Definition 3. [Unification Problem, Unifier, Unification Algorithm]

A $Th$-UP is a tuple of terms $(m, t)$, denoted $m \overset{?}{\approx}_{Th} t$, where $m$ and $t$ are pure wrt $Th$. If $Th$ is a theory, a set of $Th$-UPs, $\Gamma$, is $Th$-Unifiable with a set of substitutions $\sigma$, called a $Th$-Unifier, if $(\forall m \overset{?}{\approx}_{Th} t \in \Gamma)\,(m\sigma =_{Th} t\sigma)$. A $Th$-Unifier $\sigma$ is a most general $Th$-Unifier for a set of $Th$-UPs $\Gamma$ if every other $Th$-Unifier $\rho$ for $\Gamma$ is such that $\rho = \sigma\rho$. A complete $Th$-UA returns all possible most general $Th$-Unifiers for any set of $Th$-UPs.

UAs for two disjoint theories $Th_1$ and $Th_2$ may be combined to output the unifiers for a set of $(Th_1 \cup Th_2)$-UPs using the Baader & Schulz Combination Algorithm (BSCA) [2]. We give a more detailed explanation in Appendix A using an example UP for the interested reader.

BSCA first takes as input a set of $(Th_1 \cup Th_2)$-UPs, say $\Gamma$, and applies some transformations on them to derive $\Gamma_{5.1}$ and $\Gamma_{5.2}$, which are sets of $Th_1$-UPs and $Th_2$-UPs respectively. It then combines the unifiers for $\Gamma_{5.1}$ and $\Gamma_{5.2}$, obtained using $Th_1$-UA and $Th_2$-UA respectively (see Appendix A, Def. 5), to form the unifier(s) for $\Gamma$. Further, if all UPs in $\Gamma_{5.1}$ and $\Gamma_{5.2}$ are $Th_1$-Unifiable and $Th_2$-Unifiable respectively, then $\Gamma$ is $(Th_1 \cup Th_2)$-Unifiable.

It has been proven in [2] that the combined unifier obtained is a complete $(Th_1 \cup Th_2)$-UA for any $(Th_1 \cup Th_2)$-UP if $Th_1$-UA and $Th_2$-UA are complete and if $Th_1$ and $Th_2$ are disjoint.



3 DNUT - Disabling Non-Unifiability of Terms



We now state our main requirement on terms, namely DNUT.

Definition 4 (DNUT). A set of terms $T$ is DNUT-Satisfying, or $\mathit{DNUT\text{-}Satisfying}(T)$, iff:

1. No two interms of an eqop term are STD-Unifiable³:

$(\forall t_1 \oplus \cdots \oplus t_n \in \mathit{SubTerms}(T);\ n \in \mathbb{N})\,(\ \ldots\ )$

2. No interm of an eqop term is STD-Unifiable with an interm of any other eqop term:

$(\forall t, t' \in \mathit{SubTerms}(T);\ t \neq t')\,(\lnot(\exists t_1, t_1')\,((t_1 \lhd t) \land (t_1' \lhd t') \land (t_1 \approx_{STD} t_1')))$.

3. The Unity element is not a part of any eqop term:

$(\forall t_1 \oplus \cdots \oplus t_n \in \mathit{SubTerms}(T);\ n \in \mathbb{N})\,(\lnot(\exists i \in \{1, \ldots, n\})\,(t_i = 0))$.

³ $\mathbb{N}$ is the set of natural numbers.



The first requirement of DNUT can be satisfied by ensuring that every term in the set $\{t_1, \ldots, t_n\}$ is a pair that starts with a distinct constant, if $t_1 \oplus \cdots \oplus t_n$ is a subterm of $T$. For instance, consider $A \oplus N_B \oplus [N_A]^{\rightarrow}_{pk(B)} \oplus [N_B]^{\leftrightarrow}_{K}$. This can be changed to $[1, A] \oplus [2, N_B] \oplus [3, [N_A]^{\rightarrow}_{pk(B)}] \oplus [4, [N_B]^{\leftrightarrow}_{K}]$ so that no two terms in the set $\{[1, A],\ [2, N_B],\ [3, [N_A]^{\rightarrow}_{pk(B)}],\ [4, [N_B]^{\leftrightarrow}_{K}]\}$ are STD-Unifiable.

To explain the second requirement of DNUT, consider another term, $B \oplus N_A \oplus [N_B]^{\rightarrow}_{pk(A)} \oplus [N_A]^{\leftrightarrow}_{K}$. We can introduce tags in this term as well, similarly to the previous term, as $[1, B] \oplus [2, N_A] \oplus [3, [N_B]^{\rightarrow}_{pk(A)}] \oplus [4, [N_A]^{\leftrightarrow}_{K}]$, so as to satisfy the first requirement. However, this would violate the second requirement, since interms in both might be unifiable. For instance, $[1, A]$ in the first term is STD-Unifiable with $[1, B]$ in the second. To avoid this, we can range the interms in the first eqop term from 1.1 to 1.4, and the second from 2.1 to 2.4. So the terms are now $[1.1, A] \oplus [1.2, N_B] \oplus [1.3, [N_A]^{\rightarrow}_{pk(B)}] \oplus [1.4, [N_B]^{\leftrightarrow}_{K}]$ and $[2.1, B] \oplus [2.2, N_A] \oplus [2.3, [N_B]^{\rightarrow}_{pk(A)}] \oplus [2.4, [N_A]^{\leftrightarrow}_{K}]$. Obviously, they satisfy the third requirement as well.

Below we give a protocol that has multiple XOR terms, to illustrate how DNUT may be satisfied in 
protocols where there might be many complex and nested terms: 



Original protocol, with each message followed by its form changed to satisfy DNUT:

1. $A \rightarrow B$: $A, B$
   DNUT: $A, B$

2. $B \rightarrow A$: $[N_B, B] \oplus [N_B, A]^{\rightarrow}_{pk(A)}$
   DNUT: $[2.1, N_B, B] \oplus [2.2, [N_B, A]^{\rightarrow}_{pk(A)}]$

3. $A \rightarrow B$: $A \oplus N_B \oplus [A \oplus N_B]^{\rightarrow}_{pk(B)} \oplus [N_A]_{?}$
   DNUT: $[3.1, A] \oplus [3.2, N_B] \oplus [3.3, [[3.3.1, A] \oplus [3.3.2, N_B]]^{\rightarrow}_{pk(B)}] \oplus [3.4, [N_A]_{?}]$

4. $A \rightarrow B$: $[N_A \oplus N_B, A, B]^{\rightarrow}_{pk(A)} \oplus [N_A \oplus A, N_B \oplus B]^{\leftrightarrow}_{N_A \oplus N_B}$
   DNUT: $[4.1, [[4.1.1, N_A] \oplus [4.1.2, N_B], A, B]^{\rightarrow}_{pk(A)}] \oplus [4.2, [[4.2.1, N_A] \oplus [4.2.2, A], [4.3.1, N_B] \oplus [4.3.2, B]]^{\leftrightarrow}_{[4.4.1, N_A] \oplus [4.4.2, N_B]}]$
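As an added illustration that is not code from the paper, the following Python script models the term algebra of Section 2 (subterms, interms, a syntactic STD unifier with occurs check), checks the three DNUT conditions of Definition 4, and applies the tagging of this section to messages 1, 2 and 4 of the table above. It goes slightly beyond the hand-worked example in that `dnut_tag` handles arbitrarily nested eqop terms. Its assumptions: tags are hierarchical position paths (e.g. 4.2.1.1) rather than the paper's hand-assigned numbers; a tag is prepended as an extra pair element, so $[2.1, [N_B, B]]$ stands for the paper's $[2.1, N_B, B]$; agent names and nonces are role variables; and a nested eqop met during STD unification is treated as a free symbol (the paper handles it through BSCA purification instead). The names `dnut_tag`, `dnut_violations` and `std_unify` are this example's own.

```python
from dataclasses import dataclass
from itertools import combinations

# Term algebra of Section 2: variables, constants and applications of an
# operator from StdOps = {sequence, penc, senc, pk, sh} or of eqop (XOR).
@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class Const:
    name: str

@dataclass(frozen=True)
class App:
    op: str
    args: tuple

def seq(*ts):   return App("sequence", tuple(ts))
def penc(t, k): return App("penc", (t, k))
def senc(t, k): return App("senc", (t, k))
def pk(t):      return App("pk", (t,))
def xor(*ts):   return App("eqop", tuple(ts))

ZERO = Const("0")  # the Unity element of the eqop theory

def subterms(t):
    """SubTerms({t}): t and, recursively, every argument of an application."""
    out = {t}
    if isinstance(t, App):
        for a in t.args:
            out |= subterms(a)
    return out

def interms(t):
    """Direct summands of an eqop term; any other term has no interms."""
    return list(t.args) if isinstance(t, App) and t.op == "eqop" else []

def _walk(t, subst):
    while isinstance(t, Var) and t in subst:
        t = subst[t]
    return t

def _occurs(v, t, subst):
    t = _walk(t, subst)
    return t == v or (isinstance(t, App) and any(_occurs(v, a, subst) for a in t.args))

def std_unify(s, t):
    """Syntactic (STD) unification with occurs check: returns a most general
    unifier {Var: term} or None. A nested eqop is unified as a free symbol,
    which is this example's simplification (the paper purifies it via BSCA)."""
    subst, stack = {}, [(s, t)]
    while stack:
        a, b = (_walk(x, subst) for x in stack.pop())
        if a == b:
            continue
        if isinstance(a, Var) or isinstance(b, Var):
            v, u = (a, b) if isinstance(a, Var) else (b, a)
            if _occurs(v, u, subst):
                return None
            subst[v] = u
        elif isinstance(a, App) and isinstance(b, App) \
                and a.op == b.op and len(a.args) == len(b.args):
            stack.extend(zip(a.args, b.args))
        else:
            return None  # clash of two constants or of two operators
    return subst

def dnut_violations(T):
    """Conditions 1-3 of Definition 4 over every eqop term in SubTerms(T);
    returns one message per violated pair, so [] means DNUT-Satisfying."""
    eqops = list(dict.fromkeys(t for m in T for t in subterms(m) if interms(t)))
    bad = []
    for t in eqops:                              # 1: interms within one term
        bad += [f"cond1: {x} ~ {y}" for x, y in combinations(interms(t), 2)
                if std_unify(x, y) is not None]
    for t, u in combinations(eqops, 2):          # 2: interms across two terms
        bad += [f"cond2: {x} ~ {y}" for x in interms(t) for y in interms(u)
                if std_unify(x, y) is not None]
    bad += [f"cond3: 0 in {t}" for t in eqops if ZERO in interms(t)]
    return bad

def dnut_satisfying(T):
    return not dnut_violations(T)

def dnut_tag(t, prefix):
    """Tag every eqop term below t: the i-th interm at tag path p becomes
    [p.i, interm]. Tags are hierarchical position paths, a variant of the
    paper's hand-assigned numbers (assumption of this example)."""
    if not isinstance(t, App):
        return t
    kids = [(f"{prefix}.{i}", a) for i, a in enumerate(t.args, 1)]
    if t.op == "eqop":
        return xor(*(seq(Const(p), dnut_tag(a, p)) for p, a in kids))
    return App(t.op, tuple(dnut_tag(a, p) for p, a in kids))

# Messages 1, 2 and 4 of the table above (message 3's last summand is not
# recoverable here); agent names and nonces are role variables (assumption).
A, B, NA, NB = Var("A"), Var("B"), Var("NA"), Var("NB")
ORIGINAL = {
    1: seq(A, B),
    2: xor(seq(NB, B), penc(seq(NB, A), pk(A))),
    4: xor(penc(seq(xor(NA, NB), A, B), pk(A)),
           senc(seq(xor(NA, A), xor(NB, B)), xor(NA, NB))),
}
TAGGED = {n: dnut_tag(m, str(n)) for n, m in ORIGINAL.items()}

if __name__ == "__main__":
    print(dnut_violations(list(ORIGINAL.values()))[:2])  # e.g. cond1: NA ~ NB
    print(dnut_satisfying(list(TAGGED.values())))        # True
```

The untagged protocol fails Condition 1 already at $N_A \oplus N_B$, whose two interms are variables and hence unify; after tagging, every interm begins with a distinct constant, so no pair of interms unifies, inside a term or across terms, and no interm is the Unity element.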



4 Main Result 



We will now prove that, if DNUT is followed in a set of terms, the effects of equational theories are totally disabled.

Theorem 1. Let $T$ be a set of terms that are DNUT-Satisfying. Then, if two non-variables are unifiable in the $(STD \cup EQTH)$ theory, they are also unifiable in the $(STD \cup FEQOP)$ theory:

$\mathit{DNUT\text{-}Satisfying}(T) \Rightarrow (\forall m, t \in T)\,((m, t \notin \mathit{Vars}) \land (m \approx_{(STD \cup EQTH)} t) \Rightarrow (m \approx_{(STD \cup FEQOP)} t))$.

Proof. Suppose $\{(m, t)\} = \Gamma$.

From BSCA, for $m$ and $t$ to be $(STD \cup EQTH)$-Unifiable, every $(m_1, t_1) \in \Gamma_{5.1}$ should be STD-Unifiable and every $(m_1, t_1) \in \Gamma_{5.2}$ should be EQTH-Unifiable:

$(\forall (m_1, t_1) \in \Gamma_{5.1})\,(m_1 \approx_{STD} t_1) \land (\forall (m_1, t_1) \in \Gamma_{5.2})\,(m_1 \approx_{EQTH} t_1)$. (1)

Suppose $(m_1, t_1) \in \Gamma_{5.2}$. From BSCA, we have that, for $(m_1, t_1)$ to be EQTH-Unifiable, for every interm $x$ of $m_1$ there should exist a term $y$ as an interm of $m_1$ or $t_1$ such that $x$ and $y$ are STD-Unifiable (unless $x$ is the Unity element):

$(\forall x)\,(((x \lhd m_1) \land (x \neq 0)) \Rightarrow (\exists y)\,(((y \lhd m_1) \lor (y \lhd t_1)) \land (x \approx_{STD} y)))$. (2)

Now from DNUT Condition 3, no eqop term has the Unity element as an interm. From DNUT Condition 1, interms within an eqop term should not be STD-Unifiable. Hence, $y$ cannot be an interm of $m_1$. Similarly, from DNUT Condition 2, interms between two different eqop terms should not be STD-Unifiable either. Hence, $y$ cannot be an interm of $t_1$ either.

The only other way for $m_1$ and $t_1$ to be EQTH-Unifiable is that $m_1$ must be equal to $t_1$, in which case they are both EQTH-Unifiable and FEQOP-Unifiable.

Thus in general, every $(m_1, t_1)$ belonging to $\Gamma_{5.2}$ is FEQOP-Unifiable. Further, from (1), every $(m_1, t_1)$ belonging to $\Gamma_{5.1}$ is STD-Unifiable.

Hence, $(m, t)$ is $(STD \cup FEQOP)$-Unifiable.

□

5 Conclusion 

In this paper, we showed that tagging messages constructed with operators possessing algebraic properties disables the equational theories induced by those properties.

Tags specified in DNUT basically disable cancellation of terms entirely, both inside a term and between different terms. For ACUIdem and ACUInverse, no change is required at all in DNUT. For other theories that are disjoint with the standard theory, we can use similar tagging to disable cancellation, and thereby disable the theories. In the presentation and the full paper, we will explain those details and also the impact of the main result on symbolic protocol analysis.

The main result easily falls apart under homomorphic encryption (HE). For instance, the UP $[1, A] \overset{?}{\approx} [3, a] \oplus [6, b] \oplus [4, C]$ has DNUT-Satisfying terms. It is unifiable under $STD \cup HE$ with $\{a/A, b/C\}$ as the unifier, if binary encoding is used for the tags 3, 4 and 6, since $[3, a] \oplus [6, b] \oplus [4, C] = [011 \oplus 110 \oplus 100,\ a \oplus b \oplus C]$ under HE, which is equal to $[1, a]$ if $C = b$. But it is not unifiable under $STD \cup FEQOP$.

It seems that extending the result under non-disjoint theories such as STD and HE will be quite challenging. Although BSCA cannot be used, I conjecture that new unification algorithms such as [?] might be useful in this pursuit. I look forward to discussions with the workshop participants toward further work in this direction.
A Baader & Schulz Combined Theory Unification Algorithm

In this section, we describe Baader & Schulz's combination algorithm [2] (abbreviated to BSCA) that combines unification algorithms for two disjoint theories.

We will use the following $(STD \cup ACUN)$-UP as our running example:

$[1, N_A]^{\rightarrow}_{pk(B)} \overset{?}{\approx}_{STD \cup ACUN} [1, N_B]^{\rightarrow}_{pk(a)} \oplus [2, A] \oplus [2, b]$.



Step 1 (Purify terms). BSCA first "purifies" the given set of $(Th = Th_1 \cup Th_2)$-unification problems, $\Gamma$, into a new set of problems $\Gamma_1$ through the introduction of some new variables, such that all the terms are "pure" wrt $Th_1$ or $Th_2$, but not both.

If our running example was $\Gamma$, then the set of problems in $\Gamma_1$ is $W \overset{?}{\approx}_{STD} [1, N_A]^{\rightarrow}_{pk(B)}$, $X \overset{?}{\approx}_{STD} [1, N_B]^{\rightarrow}_{pk(a)}$, $Y \overset{?}{\approx}_{STD} [2, A]$, $Z \overset{?}{\approx}_{STD} [2, b]$, and $W \overset{?}{\approx}_{ACUN} X \oplus Y \oplus Z$, where $W, X, Y, Z$ are obviously new variables that did not exist in $\Gamma$.

Step 2 (Purify problems). Next, BSCA purifies the unification problems such that every problem in the set has both terms belonging to the same theory. For our example problem, this step can be skipped since all the problems in $\Gamma_1$ already have both their terms purely from the same theory (STD or ACUN).

Step 3 (Variable identification). Next, BSCA partitions the variables in $\Gamma_2$ into a partition $\mathit{VarIdP}$ such that each variable in $\Gamma_2$ is replaced with a representative from the same equivalence class in $\mathit{VarIdP}$. The result is $\Gamma_3$.

In our example problem, one set of values for $\mathit{VarIdP}$ can be $\{\{A\}, \{B\}, \{N_B\}, \{W\}, \{X\}, \{Y, Z\}\}$.

Step 4 (Split the problem). The next step of BSCA is to split $\Gamma_3$ into two sets of problems such that each set $\Gamma_{4.i}$ has every problem with terms from the same theory $Th_i$ ($i \in \{1, 2\}$). Following this in our example,

$\Gamma_{4.1} = \{(W, [1, N_A]^{\rightarrow}_{pk(B)}),\ (X, [1, N_B]^{\rightarrow}_{pk(a)}),\ (Y, [2, A]),\ (Z, [2, b])\}$,

and

$\Gamma_{4.2} = \{(W, X \oplus Y \oplus Y)\}$.
Step 5 (Solve systems). The penultimate step of BSCA is to partition all the variables in $\Gamma_3$ into a partition of size two: let $\rho = \{V_1, V_2\}$ be a partition of $\mathit{Vars}(\Gamma_3)$. Then the earlier problems $(\Gamma_{4.1}, \Gamma_{4.2})$ are further split such that all the variables in one set of the partition are replaced with new constants in one of the sets of problems, and vice-versa in the other.

In our sample problem, we can form $\{V_1, V_2\}$ as $\{\mathit{Vars}(\Gamma_3), \{\}\}$, i.e., we choose that all the variables in problems of $\Gamma_{4.2}$ be replaced with new constants. This is required to find the unifier for the problem (this is the partition that will successfully find a unifier).

So $\Gamma_{5.1}$ stays the same as $\Gamma_{4.1}$, but $\Gamma_{5.2}$ is changed to $\Gamma_{5.2} = \Gamma_{4.2}\beta = \{(W, X \oplus Y \oplus Y)\}\beta = \{(w, x \oplus y \oplus y)\}$, i.e., $\beta = \{w/W, x/X, y/Y\}$, where $w, x, y$ are constants, which obviously did not appear in $\Gamma_{5.1}$.
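Steps 1 to 5 above, as an added Python example (this is not the paper's code and not an implementation from any unification library): `purify` turns the running example into $\Gamma_1$ through fresh variables, `identify_and_split` applies a chosen $\mathit{VarIdP}$ partition and separates the problems by theory, and `freeze` replaces the variables of one block of $\{V_1, V_2\}$ with constants. Assumptions: fresh variables are named `V1`, `V2`, ... instead of the appendix's $W, X, Y, Z$ (here `V1`, `V2`, `V3` play the roles of $X, Y, Z$ and `V4` of $W$); a variable is any string beginning with an upper-case letter; and the identification of $Y$ and $Z$ is applied consistently to both $\Gamma_{4.1}$ and $\Gamma_{4.2}$ (the appendix lists $\Gamma_{4.1}$ with $Z$ still present). Solving the pure systems and combining their unifiers (Step 6) is not implemented.

```python
from itertools import count

EQOP = "eqop"

# Terms: a variable is a str starting with an upper-case letter, a constant
# any other str, and an application a tuple (op, arg1, ..., argn).
def is_var(t): return isinstance(t, str) and t[:1].isupper()
def is_app(t): return isinstance(t, tuple)

def theory_of(t):
    """STD for a StdOps application, ACUN for an eqop application, None for
    variables and constants (which are pure wrt every theory)."""
    if not is_app(t):
        return None
    return "ACUN" if t[0] == EQOP else "STD"

def variables(t):
    if is_var(t):
        return {t}
    return set().union(*(variables(a) for a in t[1:])) if is_app(t) else set()

def purify(problem, fresh=None):
    """Steps 1-2: replace every alien subterm (one whose theory differs from
    its parent's) by a fresh variable, collecting (V, subterm, theory), and
    route a mixed top-level problem through a fresh variable so that every
    problem has both terms in one theory."""
    fresh = fresh or (f"V{i}" for i in count(1))
    out = []

    def abstract(t):
        if not is_app(t):
            return t
        args = []
        for a in t[1:]:
            if is_app(a) and theory_of(a) != theory_of(t):
                v = next(fresh)
                out.append((v, abstract(a), theory_of(a)))
                args.append(v)
            else:
                args.append(abstract(a))
        return (t[0],) + tuple(args)

    s, t = (abstract(x) for x in problem)
    ths = {th for th in (theory_of(s), theory_of(t)) if th}
    if len(ths) == 2:                     # e.g. an STD term against an ACUN term
        w = next(fresh)
        out += [(w, s, theory_of(s)), (w, t, theory_of(t))]
    else:                                 # two variables: the theory is immaterial
        out.append((s, t, ths.pop() if ths else "STD"))
    return out

def identify_and_split(problems, partition):
    """Steps 3-4: replace each variable by the representative (smallest name)
    of its class in VarIdP, then split the problems by theory."""
    rep = {v: min(cls) for cls in partition for v in cls}

    def subst(t):
        if is_app(t):
            return (t[0],) + tuple(subst(a) for a in t[1:])
        return rep.get(t, t) if is_var(t) else t

    split = {"STD": [], "ACUN": []}
    for s, t, th in problems:
        split[th].append((subst(s), subst(t)))
    return split["STD"], split["ACUN"]

def freeze(problems, block):
    """Step 5: turn the variables of one block of {V1, V2} into new constants,
    here the lower-cased names as in the appendix's beta = {w/W, x/X, y/Y}."""
    def subst(t):
        if is_app(t):
            return (t[0],) + tuple(subst(a) for a in t[1:])
        return t.lower() if is_var(t) and t in block else t
    return [(subst(s), subst(t)) for s, t in problems]

def running_example():
    """The appendix's UP: [1,NA]_pk(B) =? [1,NB]_pk(a) (+) [2,A] (+) [2,b]."""
    lhs = ("penc", ("sequence", "1", "NA"), ("pk", "B"))
    rhs = (EQOP, ("penc", ("sequence", "1", "NB"), ("pk", "a")),
           ("sequence", "2", "A"), ("sequence", "2", "b"))
    gamma1 = purify((lhs, rhs))           # fresh V1..V3 = X, Y, Z; V4 = W
    var_id_p = [{"A"}, {"B"}, {"NA"}, {"NB"}, {"V1"}, {"V2", "V3"}, {"V4"}]
    g41, g42 = identify_and_split(gamma1, var_id_p)
    block = set().union(*(variables(s) | variables(t) for s, t in g42))
    g52 = freeze(g42, block)              # g51 is g41 unchanged
    return gamma1, g41, g42, g52

if __name__ == "__main__":
    for gamma in running_example():
        print(gamma)
```

Running it reproduces the appendix's $\Gamma_{4.2} = \{(W, X \oplus Y \oplus Y)\}$ as `("V4", ("eqop", "V1", "V2", "V2"))` and $\Gamma_{5.2}$ as its lower-cased, constant-only copy; BSCA enumerates all partitions $\mathit{VarIdP}$ and $\{V_1, V_2\}$, whereas the example fixes the single choice the appendix makes.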

Step 6 (Combine unifiers). The final step of BSCA is to combine the unifiers obtained in Step 5 for $\Gamma_{5.1}$ and $\Gamma_{5.2}$:

Definition 5. [Combined Unifier]

Let $\Gamma$ be a $Th$-UP where $(Th_1 \cup Th_2) = Th$. Let $\sigma_i \in \mathcal{A}_{Th_i}(\Gamma_{5.i})$, $i \in \{1, 2\}$, and let $V_i = \mathit{Vars}(\Gamma_{5.i})$, $i \in \{1, 2\}$.

Suppose '$<$' is a linear order on $\mathit{Vars}(\Gamma)$ such that $Y < X$ if $X$ is not a subterm of an instantiation of $Y$:

$(\forall X, Y \in \mathit{Vars}(\Gamma))\,((Y < X) \Rightarrow (\nexists \sigma)(X \sqsubseteq Y\sigma))$.

Let $\mathit{least}(X, \Gamma, <)$ be defined as the minimal element of the set $\Gamma$ when ordered linearly by the relation '$<$', i.e.,

$\mathit{least}(X, \Gamma, <) \Leftrightarrow (\forall Y \in \Gamma)\,((Y \neq X) \Rightarrow (X < Y))$.

Then, the combined UA for $\Gamma$, namely $\mathcal{A}_{Th_1 \cup Th_2}$, is defined such that

$\mathcal{A}_{Th_1 \cup Th_2}(\Gamma) = \{\sigma \mid (\exists \sigma_1, \sigma_2)\,((\sigma = \sigma_1 \odot \sigma_2) \land (\sigma_1 \in \mathcal{A}_{Th_1}(\Gamma_{5.1})) \land (\sigma_2 \in \mathcal{A}_{Th_2}(\Gamma_{5.2})))\}$,

where, if $\sigma = \sigma_1 \odot \sigma_2$, then:

• The substitution in $\sigma$ for the least variable in $V_1$ and $V_2$ is from $\sigma_1$ and $\sigma_2$ respectively:

$(\forall i \in \{1, 2\})\,((X \in V_i) \land \mathit{least}(X, \mathit{Vars}(\Gamma), <) \Rightarrow (X\sigma = X\sigma_i))$; and

• For all other variables $X$, where each $Y$ with $Y < X$ has a substitution already defined, define $X\sigma = X\sigma_i\sigma$ ($i \in \{1, 2\}$):

$(\forall i \in \{1, 2\})\,((\forall X \in V_i)\,((\forall Y)((Y < X) \land (\exists Z)(Z/Y \in \sigma))) \Rightarrow (X\sigma = X\sigma_i\sigma)))$.



